Beispiel #1
0
        public MainForm()
        {
            // Sets up stealth calls for native funcs to try to avoid api hooking
            NativeStealth.SetStealthMode(NativeStealthType.ManualInvoke);

            InitializeComponent();
            UIThemeManager.OnThemeChanged(this, OnThemeChanged_Implementation);
            this.SetThemeAware();
            MaximizeBox = true;
            MinimizeBox = true;
        }
Beispiel #2
0
        /// <summary>
        /// Set correct module section permissions.
        /// </summary>
        /// <author>Ruben Boonen (@FuzzySec)</author> (modified for external ProcessEx)
        /// <param name="PEINFO">Module meta data struct (PE.PE_META_DATA).</param>
        /// <param name="ModuleMemoryBase">Base address of the module in memory.</param>
        /// <returns>void</returns>
        public void MMSetModuleSectionPermissions(PE_META_DATA PEINFO, IntPtr ModuleMemoryBase, byte[] rawData)
        {
            // Apply RO to the module header
            IntPtr BaseOfCode = PEINFO.Is32Bit ? (IntPtr)PEINFO.OptHeader32.BaseOfCode : (IntPtr)PEINFO.OptHeader64.BaseOfCode;

            NativeStealth.VirtualProtectEx(Handle, ModuleMemoryBase, BaseOfCode.ToInt32(), (int)Native.PAGE_READONLY, out _);

            // Apply section permissions
            foreach (IMAGE_SECTION_HEADER ish in PEINFO.Sections)
            {
                bool isRead       = (ish.Characteristics & DataSectionFlags.MEM_READ) != 0;
                bool isWrite      = (ish.Characteristics & DataSectionFlags.MEM_WRITE) != 0;
                bool isExecute    = (ish.Characteristics & DataSectionFlags.MEM_EXECUTE) != 0;
                uint flNewProtect = 0;
                if (isRead & !isWrite & !isExecute)
                {
                    flNewProtect = Native.PAGE_READONLY;
                }
                else if (isRead & isWrite & !isExecute)
                {
                    flNewProtect = Native.PAGE_READWRITE;
                }
                else if (isRead & isWrite & isExecute)
                {
                    flNewProtect = Native.PAGE_EXECUTE_READWRITE;
                }
                else if (isRead & !isWrite & isExecute)
                {
                    flNewProtect = Native.PAGE_EXECUTE_READ;
                }
                else if (!isRead & !isWrite & isExecute)
                {
                    flNewProtect = Native.PAGE_EXECUTE;
                }
                else
                {
                    throw new InvalidOperationException(DSTR(DSTR_UNK_SEC_FLAG, ish.Characteristics));
                }

                // Calculate base
                IntPtr pVirtualSectionBase = (IntPtr)((UInt64)ModuleMemoryBase + ish.VirtualAddress);
                IntPtr ProtectSize         = (IntPtr)ish.VirtualSize;

                // Set protection
                NativeStealth.VirtualProtectEx(Handle, pVirtualSectionBase, ProtectSize.ToInt32(), (int)flNewProtect, out _);
            }
        }
Beispiel #3
0
        public bool TryMapModule(out PointerEx hModule)
        {
            var sModule = new PEImage(RawDLL);

            hModule = NativeStealth.VirtualAllocEx(HostProcess.Handle, 0, (uint)sModule.Headers.PEHeader.SizeOfImage, Native.AllocationType.Commit | Native.AllocationType.Reserve, Native.MemoryProtection.ReadOnly);
            if (!hModule)
            {
                throw new Exception("Unable to allocate enough memory to map the module");
            }
            try
            {
                MMLoadDependencies(sModule, hModule);
            }
            catch
            {
                if (HostProcess.Handle)
                {
                    ProcessEx.VirtualFreeEx(HostProcess.Handle, hModule, (uint)sModule.Headers.PEHeader.SizeOfImage, (int)FreeType.Release);
                }
                throw;
            }
            ModuleHandle = hModule;
            return(true);
        }